Merge pull request #3 from galasa-dev/mcobbett-detect-secrets-adding

detect secrets should be used in this project. Setting a baseline
galasa-dev · Oct 17, 2024 · 3147afb · 3147afb
2 parents b933bde + 4efa710
commit 3147afb
Show file tree

Hide file tree

Showing 2 changed files with 353 additions and 0 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,211 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {
+    "Casks/g/galasactl.rb": [
+      {
+        "hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.33.0.rb": [
+      {
+        "hashed_secret": "bb1bfaa5682b608179d35c219b2727d09b4ca4ea",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "0639df56ffc1bb86d8fce8e579a147203b62b804",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.34.0.rb": [
+      {
+        "hashed_secret": "c1ad569592ebca9f749c7b28775f62e8711b8cbf",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "e6f334ca38a65ff8e24412141019e835e2e7907a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.34.1.rb": [
+      {
+        "hashed_secret": "aacb017e1e456863d366c0f5e3995b00692d3d32",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "efc35e0c31d1c41304b2707db78e518f1130bbc4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.35.0.rb": [
+      {
+        "hashed_secret": "8925b8501ad17d10e2603a43947c312b8f9f1ecc",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "b1f341eeec92753e61fc917fc94ac540e160bb9b",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.36.0.rb": [
+      {
+        "hashed_secret": "5205f4320207b08a0e307bb971f8337180d6edcf",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "8906b45a0afff04142bb4e9eddc71e5d281faa5c",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "Casks/g/galasactl@0.37.0.rb": [
+      {
+        "hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 6,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      }
+    ]
+  },
+  "version": "0.13.1+ibm.62.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}
diff --git a/build-locally.sh b/build-locally.sh
@@ -0,0 +1,142 @@
+#! /usr/bin/env bash 
+
+#
+# Copyright contributors to the Galasa project
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+#-----------------------------------------------------------------------------------------                   
+#
+# Objectives: Build this repository code locally.
+# 
+#-----------------------------------------------------------------------------------------                   
+
+# Where is this script executing from ?
+BASEDIR=$(dirname "$0");pushd $BASEDIR 2>&1 >> /dev/null ;BASEDIR=$(pwd);popd 2>&1 >> /dev/null
+# echo "Running from directory ${BASEDIR}"
+export ORIGINAL_DIR=$(pwd)
+# cd "${BASEDIR}"
+
+cd "${BASEDIR}/.."
+WORKSPACE_DIR=$(pwd)
+cd $BASEDIR
+
+
+#-----------------------------------------------------------------------------------------                   
+#
+# Set Colors
+#
+#-----------------------------------------------------------------------------------------                   
+bold=$(tput bold)
+underline=$(tput sgr 0 1)
+reset=$(tput sgr0)
+red=$(tput setaf 1)
+green=$(tput setaf 76)
+white=$(tput setaf 7)
+tan=$(tput setaf 202)
+blue=$(tput setaf 25)
+
+#-----------------------------------------------------------------------------------------                   
+#
+# Headers and Logging
+#
+#-----------------------------------------------------------------------------------------                   
+underline() { printf "${underline}${bold}%s${reset}\n" "$@" ;}
+h1() { printf "\n${underline}${bold}${blue}%s${reset}\n" "$@" ;}
+h2() { printf "\n${underline}${bold}${white}%s${reset}\n" "$@" ;}
+debug() { printf "${white}%s${reset}\n" "$@" ;}
+info() { printf "${white}➜ %s${reset}\n" "$@" ;}
+success() { printf "${green}✔ %s${reset}\n" "$@" ;}
+error() { printf "${red}✖ %s${reset}\n" "$@" ;}
+warn() { printf "${tan}➜ %s${reset}\n" "$@" ;}
+bold() { printf "${bold}%s${reset}\n" "$@" ;}
+note() { printf "\n${underline}${bold}${blue}Note:${reset} ${blue}%s${reset}\n" "$@" ;}
+
+#-----------------------------------------------------------------------------------------                   
+# Functions
+#-----------------------------------------------------------------------------------------                   
+function usage {
+    info "Syntax: build-locally.sh [OPTIONS]"
+    cat << EOF
+Options are:
+-h | --help - See this help.
+
+Environment variables
+None
+EOF
+}
+
+function check_exit_code () {
+    # This function takes 2 parameters in the form:
+    # $1 an integer value of the returned exit code
+    # $2 an error message to display if $1 is not equal to 0
+    if [[ "$1" != "0" ]]; then 
+        error "$2" 
+        exit 1  
+    fi
+}
+
+function check_secrets {
+    h2 "updating secrets baseline"
+    cd ${BASEDIR}
+    detect-secrets scan --update .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly" 
+    success "updated secrets file"
+
+    h2 "running audit for secrets"
+    detect-secrets audit .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to audit detect-secrets."
+
+    #Check all secrets have been audited
+    secrets=$(grep -c hashed_secret .secrets.baseline)
+    audits=$(grep -c is_secret .secrets.baseline)
+    if [[ "$secrets" != "$audits" ]]; then 
+        error "Not all secrets found have been audited"
+        exit 1  
+    fi
+    success "secrets audit complete"
+
+    h2 "Removing the timestamp from the secrets baseline file so it doesn't always cause a git change."
+    mkdir -p temp
+    rc=$? 
+    check_exit_code $rc "Failed to create a temporary folder"
+    cat .secrets.baseline | grep -v "generated_at" > temp/.secrets.baseline.temp
+    rc=$? 
+    check_exit_code $rc "Failed to create a temporary file with no timestamp inside"
+    mv temp/.secrets.baseline.temp .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to overwrite the secrets baseline with one containing no timestamp inside."
+    success "secrets baseline timestamp content has been removed ok"
+}
+
+#-----------------------------------------------------------------------------------------                   
+# Process parameters
+#-----------------------------------------------------------------------------------------                   
+build_type=""
+
+gpg_passphrase=""
+
+while [ "$1" != "" ]; do
+    case $1 in
+        -h | --help )           usage
+                                exit
+                                ;;
+        * )                     error "Unexpected argument $1"
+                                usage
+                                exit 1
+    esac
+    shift
+done
+
+
+#-----------------------------------------------------------------------------------------                   
+# Main logic.
+#-----------------------------------------------------------------------------------------                   
+
+source_dir="."
+
+check_secrets
+
+success "Project ${project} built - OK - log is at ${log_file}"